CVE-2025-7880: Unrestricted Upload in Metasoft 美特软件 MetaCRM

Medium
Published: Sun Jul 20 2025 (07/20/2025, 09:14:05 UTC)
Source: CVE Database V5
Vendor/Project: Metasoft 美特软件
Product: MetaCRM

Description

A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2 and classified as critical. Affected by this issue is some unknown functionality of the file /business/common/sms/sendsms.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/20/2025, 09:46:09 UTC

Technical Analysis

CVE-2025-7880 is a vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions 6.4.0 through 6.4.2. The issue resides in the /business/common/sms/sendsms.jsp file, where the 'File' argument can be manipulated to allow unrestricted file uploads. This vulnerability enables an attacker to upload arbitrary files to the server without proper validation or restrictions. The attack can be executed remotely without requiring user interaction or authentication, increasing the risk of exploitation. Although the vendor was notified early, no response or patch has been provided to date. The vulnerability has a CVSS 4.0 base score of 5.3, categorized as medium severity, reflecting moderate impact and ease of exploitation. The unrestricted upload flaw could allow attackers to upload malicious scripts or executables, potentially leading to remote code execution, data compromise, or disruption of service. The lack of authentication and user interaction requirements further heightens the risk, as attackers can exploit this vulnerability directly over the network. While no known exploits are currently reported in the wild, the public disclosure of the exploit code increases the likelihood of future attacks.
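The flaw described above is the absence of server-side validation of the uploaded file: the client controls both the name and the content of what lands on the server. The following is an added example, not MetaCRM code (the page gives no internals of the affected JSP), showing the allowlist-based validation a hardened upload handler applies. The allowed extensions, the size cap and the storage directory are assumptions chosen for illustration.

```python
import os
import re
import secrets

# Hypothetical allowlist: what an SMS-sending feature might legitimately accept.
ALLOWED_EXTENSIONS = {"csv", "txt"}
MAX_SIZE = 1024 * 1024               # 1 MiB cap, an assumed limit
UPLOAD_DIR = "/var/lib/app-uploads"  # assumed location outside the web root
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails any validation rule."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate a client upload and return the server-chosen stored filename.

    The client-supplied name is used only for validation; the stored name is
    random, so the client can pick neither a path nor an executable extension.
    """
    if not filename or "\x00" in filename:
        raise UploadRejected("empty or NUL-containing filename")
    # Drop any directory components the client sent (path traversal attempts).
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("invalid filename")
    # Require exactly one extension so 'x.jsp.txt'-style names are refused.
    parts = base.split(".")
    if len(parts) != 2:
        raise UploadRejected("filename must be <stem>.<ext>")
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not SAFE_STEM.match(stem):
        raise UploadRejected("unsafe characters in filename")
    if not content or len(content) > MAX_SIZE:
        raise UploadRejected("file size out of range")
    # Content must match the declared type: text files must decode as UTF-8
    # and must not carry server-side script markup.
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("content is not UTF-8 text") from None
    if "<%" in text or "<script" in text.lower():
        raise UploadRejected("script markup in a text upload")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would store the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def stored_path(filename: str, content: bytes) -> str:
    """Full on-disk path for an accepted upload, always inside UPLOAD_DIR."""
    return os.path.join(UPLOAD_DIR, validate_upload(filename, content))
```

The important design choices are that the checks are an allowlist rather than a denylist, that the stored name is generated by the server, and that the storage directory is outside the web root, so even a file that slips past the type checks is never served as executable content.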

Potential Impact

For European organizations using MetaCRM versions 6.4.0 to 6.4.2, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access, data breaches, or system compromise, impacting confidentiality, integrity, and availability of sensitive customer relationship management data. Given that CRM systems often contain critical business and customer information, exploitation could result in financial losses, reputational damage, and regulatory penalties under GDPR. The ability to upload arbitrary files remotely without authentication means attackers can deploy web shells or malware, potentially pivoting within the network or exfiltrating data. This threat is particularly concerning for organizations with internet-facing MetaCRM instances or insufficient network segmentation. The absence of vendor patches necessitates immediate risk mitigation to prevent exploitation. Additionally, the medium severity rating suggests that while the vulnerability is exploitable, the impact might be limited by environmental factors such as existing security controls or network architecture.

Mitigation Recommendations

European organizations should implement immediate compensating controls given the lack of an official patch. These include:

1) Restricting access to the MetaCRM application to trusted IP addresses or VPN-only access to reduce exposure.
2) Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting the /business/common/sms/sendsms.jsp endpoint.
3) Conducting thorough input validation and sanitization on the server side if custom development is possible, to enforce strict file type and size restrictions.
4) Monitoring server logs for unusual upload activity or unexpected file creations in web directories.
5) Isolating the MetaCRM server in a segmented network zone with minimal privileges to limit lateral movement if compromised.
6) Preparing incident response plans to quickly address any signs of exploitation.
7) Engaging with Metasoft for updates or patches and planning for upgrade once available.
8) Regularly backing up critical data and verifying restoration procedures to mitigate potential data loss.
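Recommendation 4 above (monitoring logs for unusual upload activity) can be made concrete with a small log check. The following is an added example, not vendor code: it parses constructed access-log lines in the combined format written by Apache httpd or Tomcat's AccessLogValve, flags clients that repeatedly POST to the affected endpoint, and flags any request for a .jsp resource outside the known application paths, which is the pattern a file dropped through an unrestricted upload leaves in the logs. The sample lines, the set of known JSP prefixes and the POST threshold are assumptions; a real deployment would build the prefix list from its installed application.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Combined/common access-log format (Apache httpd, Tomcat AccessLogValve).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINT = "/business/common/sms/sendsms.jsp"
# JSP locations the deployment legitimately serves (assumed; build this from a
# real inventory of the installed web application).
KNOWN_JSP_PREFIXES = ("/business/", "/login.jsp", "/index.jsp")

# Constructed sample lines for the demonstration, not from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2025:09:10:01 +0000] "GET /login.jsp HTTP/1.1" 200 1234
10.0.0.5 - - [20/Jul/2025:09:10:05 +0000] "POST /business/common/sms/sendsms.jsp HTTP/1.1" 200 88
198.51.100.7 - - [20/Jul/2025:09:12:30 +0000] "POST /business/common/sms/sendsms.jsp HTTP/1.1" 200 88
198.51.100.7 - - [20/Jul/2025:09:12:31 +0000] "POST /business/common/sms/sendsms.jsp HTTP/1.1" 200 88
198.51.100.7 - - [20/Jul/2025:09:12:40 +0000] "GET /upload/a1b2.jsp HTTP/1.1" 200 512
10.0.0.9 - - [20/Jul/2025:09:13:00 +0000] "GET /business/contacts.jsp HTTP/1.1" 200 4000
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unexpected_jsp(path: str) -> bool:
    """True for a .jsp request outside the known application paths."""
    bare = path.split("?", 1)[0]
    return bare.lower().endswith(".jsp") and not bare.startswith(KNOWN_JSP_PREFIXES)


def analyze(log_text: str, post_threshold: int = 2) -> List[Finding]:
    """Flag repeated POSTs to the upload endpoint and requests for unexpected JSPs.

    A request for a JSP outside the known paths from a client that earlier
    POSTed to the upload endpoint is reported with a stronger reason, since
    that sequence is what a newly dropped file being fetched looks like.
    """
    findings: List[Finding] = []
    posts_by_ip: Counter = Counter()
    uploaders = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_ENDPOINT:
            posts_by_ip[rec["ip"]] += 1
            uploaders.add(rec["ip"])
            # Report once, the moment a client crosses the threshold.
            if posts_by_ip[rec["ip"]] == post_threshold:
                findings.append(Finding(rec["ip"], rec["ts"], rec["path"],
                                        "repeated POSTs to upload endpoint"))
        elif is_unexpected_jsp(rec["path"]):
            reason = "request for JSP outside known application paths"
            if rec["ip"] in uploaders:
                reason += " by a client that previously used the upload endpoint"
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path}: {f.reason}")
```

The threshold on POSTs is deliberately low because the endpoint is an SMS-sending function, not a bulk upload feature; tune it against a baseline of normal traffic. The second check is the more valuable one: it does not depend on the attacker's request pattern, only on a file being served from a location where no JSP should exist, and it pairs naturally with a periodic filesystem inventory of .jsp files under the web root.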

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-19T07:15:47.411Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687cb75aa83201eaac01c6a9

Added to database: 7/20/2025, 9:31:06 AM

Last enriched: 7/20/2025, 9:46:09 AM

Last updated: 7/20/2025, 9:46:09 AM
